IN THE CLAIMS

For the convenience of the Examiner, all pending claims of the present Application 
are shown below whether or not an amendment has been made. 
Please amend the claims as follows. 

1. (Currently amended) A method of detecting viral code in subject files, 
comprising: 

creating an artificial memory region spanning one or more components of the 
operating operation system; 

creating a custom version of an export table, wherein the custom version of the
export table is associated with a plurality of entry points and wherein the entry points
comprise predetermined values;

emulating execution of at least a portion of computer executable code in a subject file; 

detecting an attempt by the emulated computer executable code to access the 
artificial memory region; and 

determining based on the attempt to access the artificial memory region that the 
emulated computer executable code is viral.

monitoring accesses by the emulated computer executable code to the artificial
memory region to detect looping in the execution of the emulated computer executable
code; and

determining based on a detection of looping whether the emulated computer
executable code is viral.

2. (Canceled) 

3. (Canceled) 

4. (Currently amended) The method of claim 1, further comprising:
emulating functionality of an identified the identified operating system call while
monitoring the operating system call to determine whether the computer executable code is
viral.

5. (Canceled)

6. (Canceled) 

7. (Canceled) 

8. (Original) The method of claim 1, further comprising monitoring access by 
the emulated computer executable code to dynamically linked functions. 

9. (Previously presented) The method of claim 8, wherein the artificial memory 
region spans a jump table containing pointers to the dynamically linked functions. 

10. (Currently amended) A program storage device readable by a machine,
tangibly embodying a program of instructions executable by the machine to perform method 
steps for detecting viral code in subject files, the method steps comprising: 

creating an artificial memory region spanning one or more components of the 
operating system; 

creating a custom version of an export table, wherein the custom version of the
export table is associated with a plurality of entry points and wherein the entry points
comprise predetermined values;

emulating execution of at least a portion of computer executable code in a subject file; 

detecting an attempt by the emulated computer executable code to access the 
artificial memory region; and 

determining based on the attempt to access the artificial memory region that the 
emulated computer executable code is viral. 

monitoring accesses by the emulated computer executable code to the artificial
memory region to detect looping in the execution of the emulated computer executable
code; and

determining based on a detection of looping whether the emulated computer
executable code is viral.

11. (Currently amended) A computer system, comprising:
a processor; and 

a program storage device readable by the computer systems, tangibly embodying a 
program of instructions executable by the processor to perform method steps for detecting 
viral code in subject files, the method comprising: 

creating an artificial memory region spanning one or more components of the
operating system;

creating a custom version of an export table, wherein the custom version
of the export table is associated with a plurality of entry points and wherein the
entry points comprise predetermined values;

emulating execution of at least a portion of computer executable code in a 
subject file; 

detecting an attempt by the emulated computer executable code to access 
the artificial memory region; and 

determining based on the attempt to access the artificial memory region 
that the emulated computer executable code is viral. 

monitoring accesses by the emulated computer executable code to the
artificial memory region to detect looping in the execution of the emulated
computer executable code; and

determining based on a detection of looping whether the emulated
computer executable code is viral.



DAL01:935465.1 



ATTORNEY DOCKET NO. 063170.6291 

6 



PATENT 
Serial No. 09/905,532 



12. (Currently amended) A computer data signal embodied in a transmission 
medium which embodies instructions executable by a computer for detecting in a subject file 
viral code that uses calls to an operating system, the signal comprising: 

a first segment comprising CPU emulator code, wherein the CPU emulator code 
emulates execution of at least a portion of computer executable code in the subject file; 

a second segment comprising memory manager code, wherein the memory manager 
code creates an artificial memory region spanning components of the operating system and 
creates a custom version of an export table, wherein the custom version of the export
table is associated with a plurality of entry points and wherein the entry points comprise
predetermined values; and

a third segment comprising monitor code, wherein the monitor code detects attempts 
by the emulated computer executable code to access the artificial memory region and 
determines based on an attempt to access the artificial memory region that the emulated 
computer executable code is viral monitors accesses by the emulated computer
executable code to the artificial memory region to detect looping in the execution of the
emulated computer executable code; and

a fourth segment comprising detection code, wherein the detection code
determines based on a detection of looping whether the emulated computer executable
code is viral,

13. (Currently amended) The computer data signal of claim 12, further 
comprising: 

a fourth sixth segment comprising analyzer code, wherein the analyzer code emulates 
functionality of the identified operating system call to determine whether the computer 
executable code is viral. 






14. (Currently amended) An apparatus for detecting in a subject file viral code 
that uses calls to an operating system, comprising: 

a CPU emulator; 

a memory manager component that creates an artificial memory region spanning one 
or more components of the operating system and that creates a custom version of an export 
table, wherein the custom version of the export table is associated with a plurality of entry 
points and wherein the entry points comprise predetermined values; and 

a monitor component, wherein the CPU emulator emulates execution of at least a 
portion of computer executable code in the subject file, and the monitor component: 

detects an attempt by the emulated computer executable code to access 
the artificial memory region; and 

determines based on the attempt to access the artificial memory 
region that the emulated computer executable code is viral. 

monitors accesses by the emulated computer executable code to the
artificial memory region to detect looping in the execution of the emulated
computer executable code; and

determines based on a detection of looping whether the emulated
computer executable code is viral.

15. (Currently amended) The apparatus of claim 14, further comprising: 
an auxiliary component; and 

an analyzer component, 

wherein the auxiliary component emulates functionalities of an identified the 
identified operating system call, and the monitor component monitors the operating system 
call to determine whether the computer executable code is viral, while emulation continues. 

16. (Currently amended) The apparatus of claim 15 claim 14, wherein the
auxiliary component emulates functionalities of the operating system call. 

17. (Canceled)

18. (Canceled) 

19. (Canceled) 

20. (Original) The apparatus of claim 14, wherein the artificial memory region 
created by the memory manager component spans a jump table containing pointers to 
dynamically linked functions, and the monitor component monitors access by the emulated 
computer executable code to the dynamically linked functions. 